svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Fabian Keil
freebsd-listen at fabiankeil.de
Wed Jun 7 11:25:58 UTC 2017
Allan Jude <allanjude at FreeBSD.org> wrote:
> On June 6, 2017 5:44:25 AM EDT, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> >Allan Jude <allanjude at FreeBSD.org> wrote:
> >
> >> Author: allanjude
> >> Date: Tue Jun 6 02:15:00 2017
> >> New Revision: 319611
> >> URL: https://svnweb.freebsd.org/changeset/base/319611
> >>
> >> Log:
> >> Jails: Optionally prevent jailed root from binding to privileged ports
> >>
> >> You may now optionally specify allow.noreserved_ports to prevent root
> >> inside a jail from using privileged ports (less than 1024)
> >>
> >> PR: 217728
> >> Submitted by: Matt Miller <mattm916 at pulsar.neomailbox.ch>
> >> Reviewed by: jamie, cem, smh
> >> Relnotes: yes
> >> Differential Revision: https://reviews.freebsd.org/D10202
> >>
> >> Modified:
> >> head/sys/kern/kern_jail.c
> >> head/sys/sys/jail.h
> >> head/usr.sbin/jail/jail.8
> >[...]
> >> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
> >> Sockets within a jail are normally restricted to IPv4, IPv6, local
> >> (UNIX), and route. This allows access to other protocol stacks that
> >> have not had jail functionality added to them.
> >> +.It Va allow.reserved_ports
> >> +The jail root may bind to ports lower than 1024.
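Review bot: The added sentence "The jail root may bind to ports lower than 1024." states a fixed boundary, while the upper end of the reserved range is set by net.inet.ip.portrange.reservedhigh, so the text would be more accurate as "ports in the reserved range" with a pointer to that sysctl. The entry also documents allow.reserved_ports while the commit log names allow.noreserved_ports; stating the default and that the "no" form removes the privilege from jailed root would tie the two together.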
> >
> >This description seems to imply that net.inet.ip.portrange.reservedhigh
> >isn't honoured while it actually is.
> I think the confusion here is: this option prevents root
> in the jail from using reserved ports. Nonroot users are
> always restricted.
I understand that.
My point is the man page addition suggests that the reserved
port range end is hard coded while the actual end can be changed
with net.inet.ip.portrange.reservedhigh.
Fabian